
Thread: Is antivirus software really necessary?

  1. #41
    Frustrated Mad Scientist
    Join Date
    Dec 2004
    Posts
    1,152
    an AV is never NEEDED as the original question posed
    In the purest sense of that statement you are completely correct. With enough time and knowledge a single computer or a network could be set up so that a virus would not be able to function on the system making the need for AV moot.

    Taking the point above the 'need' or 'requirement' for AV is a result of the way the system was set up and administrated rather than an inherent 'need' of the system itself.

    Even on a system set up to the standard you describe where AV is not 'needed' it could well be 'required' for insurance cover and to meet other regulations which may state a requirement for AV to be present on a system.
    This is not to mention the comfort factor of having AV, "just in case", as mentioned before.

  2. #42
    Banned
    Join Date
    May 2003
    Posts
    1,004
    In the purest sense of that statement you are completely correct.
    In every sense this is correct... the only systems that benefit from AVs are those with poor architecture that allows random processes unmitigated access... if a virus can do that, why can't an attacker? The whole system is just ****ed and viruses are the least of your worries... although you'd prolly put them higher up because you get hit with so damned many of them in this case.

    With enough time and knowledge a single computer or a network could be set up so that a virus would not be able to function on the system making the need for AV moot.
    Or by using common sense and utilizing both roles and a finely grained security infrastructure an entire organization can be by a competent infosec team and very simple procedures.

    Even on a system set up to the standard you describe where AV is not 'needed' it could well be 'required' for insurance cover and to meet other regulations which may state a requirement for AV to be present on a system.
    I can think of no such requirement... the organization I work for is accountable to various ISO, DOD, and MIL standards not to mention privacy and fiscal accountability standards... and yet we have no AV system. Why? Because none is required... even ISO17799 which specifically mentions virus protection does not require anti-virus software. It merely states that you must have a clearly established and defined method of dealing with viruses. Using sandboxing, multi-account sessions, and least privilege are all acceptable under best practices.

    This is not to mention the comfort factor of having AV, "just in case", as mentioned before.
    If running more software (which by definition under DOD-5200.28-STD is a bad idea since you are placing security related software which not only needlessly increases complexity AND falls outside of the systems assurance audit, but also exists outside of the TCB) makes you feel better, that is fine. Doesn't make it the best or most correct solution.

    cheers.

    catch

  3. #43
    Senior Member
    Join Date
    Mar 2004
    Location
    Colorado
    Posts
    421
    Originally posted here by catch


    I can think of no such requirement... the organization I work for is accountable to various ISO, DOD, and MIL standards not to mention privacy and fiscal accountability standards... and yet we have no AV system. Why? Because none is required... even ISO17799 which specifically mentions virus protection does not require anti-virus software. It merely states that you must have a clearly established and defined method of dealing with viruses. Using sandboxing, multi-account sessions, and least privilege are all acceptable under best practices.


    If running more software (which by definition under DOD-5200.28-STD is a bad idea since you are placing security related software which not only needlessly increases complexity AND falls outside of the systems assurance audit, but also exists outside of the TCB) makes you feel better, that is fine. Doesn't make it the best or most correct solution.

    I can't speak for all agencies but for all of our IA (Information Assurance) enabled devices, a "gold disk" STIG run against a Windows based system not using anti-virus will be flagged with a finding and point to the CERT to obtain appropriate anti-virus software using the following references:

    NSA Guide: Chap. 2, p. 15
    DISA FSO NT Addendum: Section 7.4
    DODD 8500.1 Para 4.18
    DODI 8500.2 DCCS-2, DCSC-1
    CJCSM 6510.01 App. A, Enclosure A, Para. 5.b (8)

    A waiver can be applied for but our IAO (Information Assurance Officer) has the final call.

    This is under the DLA (Defense Logistics Agency) and DLIS (Defense Logistics Information Service)

  4. #44
    Senior Member
    Join Date
    Apr 2004
    Posts
    157
    Very interesting thread.. heh!!

    I can see both views, but for any kinda person using a computer in a network or on the internet communicating in any way with others, you are not depending solely on your own knowledge and the right way of doing things...

    Let's say you educate all the employees in your company to not ever open mail from "untrusted" sources. ...now you are safe, so safe you don't need any AV??

    I wouldn't think so, they communicate (in most companies at least.. heh!) with others that you as an admin have no control over at all.. ! If your customer has been compromised, and this customer now is sending for example an infected email or document to you, this "trusted" source could now potentially infect your whole network.. !

    I would say in very rare cases, where you don't depend on anybody else, or you are not hooked up to a network, you could safely be without any AV, but otherwise it would easily be asking for trouble...

    Anyways, just the fact the guy who initially wrote the question was in fact infected with a few viruses already there tells he needs an AV solution!

  5. #45
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    I didn't even bother reading this thread till now because I thought it was just going to repeat the same old stuff.... But I decided to read the first page and decided to keep reading when Catch got involved because it is often amusing and enlightening.... After three pages we are definitely at the amusing stage as witnessed by the number of hidden posts - Catch put the cat amongst the pigeons again.... <LOL>

    By far the most amusing and insightful comment to date is attributable to HT:-

    To spread a virus, you need an idiot...
    Nice one HT.... I might use that in a sig in the future....

    The next statement that catches my eye, (so to speak), is compliments of Shagdevil:-

    The first time I had to sit down and deal with a real bitch of a virus, is the first time I really started learning about the more intricate details about the operation of a PC.
    I have to absolutely agree here... It reminded me of my first encounter with Stoned in the early 90's, tracking it back to a corporate networking "guru" and nearly getting fired for bringing it to the attention of corporate, (NOTE: The guru was upgrading all 95 offices nationwide with his infected disks - I was the naughty one for bringing it to his attention - They subsequently found out I was right - did I get a letter of apology to go with my letter of reprimand? Nope! Wankers... ). But Shag is right in many cases... Some of us cut our teeth removing this crap.

    For the OP:

    Allow me to abstract this in order to clarify the two, (completely at odds), sides you have seen in this debate.

    You need to work out your amortization schedule for a mortgage you wish to purchase. You don't know how to do it because you only graduated high school. You know that there is a computer program out there for $30 that will allow you to insert the required parameters and it will "spit" out the required information _or_ you can go back to school for a couple of years and do it yourself.

    The same applies with Anti-Virus applications. Like the internet program that will calculate your amortization schedule the Anti-Virus is a tool that will do the job for you at a cost. Your alternative is to wait two years until you can attain the knowledge required to complete the task yourself but since you have a house in mind two years is too long - someone else will buy it, which equates to you being infected with a virus. The answer is simple. If you don't already possess the tools to do the job then you must purchase one. If you already have the tools why spend the money....

    Hope that clarifies the argument....
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  6. #46
    Banned
    Join Date
    May 2003
    Posts
    1,004
    Let's say you educate all the employees in your company to not ever open mail from "untrusted" sources. ...now you are safe, so safe you don't need any AV??
    Seriously, have you even read this thread? It isn't about training your users, it is about using technical architecture that again, enforces roles using finely grained permissions and least privilege as well as using multi-account sessions.

    Users can't run viruses, worms, or trojans if they wanted to in this environment.

    Why does this make more sense? Again remember, anything a virus can do, an attacker can do as well. It's not like viruses have special abilities to bypass process protections, so if you are relying on an AV, what is protecting you against an attacker, internal or external doing the same actions?

    AV software increases the complexity of the system, as stated above doesn't actually resolve the underlying security issues, don't resolve new viruses, and require constant upkeep. What is more, many AV tools actually introduce new tools by running at such a low level on the system while allowing any user to have interactive session. How is this different than say... running Apache as root?

    AV software is bad... it is only useful on single user systems like Win9x/Me since none of typical security issues associated with running additional, privileged software are not present since the computer lacks the concept of permissions and privileges to begin with.

    ss2chef, none of those guidelines require AV software, they merely provide guidelines for what AV software they approve of if you use it. This reasoning is based on the fact that knowledge of role based systems has dramatically increased over the last few years and wasn't considered as tried and true within an NT environment at the time.

    DARPA has come out with a few solicitations regarding the failings of AV software and methods for dealing with network worms. In the coming years it will be more and more apparent that AV tools are ineffective, but also keep in mind that AV organizations are a billion dollar industry... and if there is one thing that companies need to know how to do to survive capitalism is to create a need.

    cheers,

    catch

  7. #47
    Is antivirus software really necessary?
    I think it is. You will help prevent u from getting 1 so u don't have a crashed pc.

    I agree w/ almost every person in this post. From my personal experience. Have some type of antivirus software.
    I Love Computers !!! We are all in for a ride !!! Tech Rules!!!
    Amethyst

  8. #48
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    I agree w/ almost every person in this post. From my personal experience. Have some type of antivirus software.
    Which ones don't you agree with? Because about half of them say you don't need it.....

  9. #49
    Senior Member
    Join Date
    Mar 2004
    Location
    Colorado
    Posts
    421


    Originally posted here by catch

    ss2chef, none of those guidelines require AV software, they merely provide guidelines for what AV software they approve of if you use it. This reasoning is based on the fact that knowledge of role based systems has dramatically increased over the last few years and wasn't considered as tried and true within an NT environment at the time.

    DARPA has come out with a few solicitations regarding the failings of AV software and methods for dealing with network worms. In the coming years it will be more and more apparent that AV tools are ineffective, but also keep in mind that AV organizations are a billion dollar industry... and if there is one thing that companies need to know how to do to survive capitalism is to create a need.

    cheers,

    catch
    While I understand your distinctions...
    I feel it is important to note that they are more than just guidelines.
    Any suspect SRR (Security Readiness Report) can and often does boil down to
    ATO (Authority To Operate) being denied.

    When that happens, one's opinion on the merits of AV software matters very little.

    From my personal experience, DoD does not consider AV to be an optional
    suggestion.

    Can you provide any links to actual directive that I can cite to my IAO and PMO?
    I'm dying to get the AV removal process started..

  10. #50
    Banned
    Join Date
    May 2003
    Posts
    1,004
    ss2chef: http://www.radium.ncsc.mil/tpep/libr...C1-TR-001.html

    "Computer Viruses: Prevention, Detection, and Treatment" with no mention of using after the fact solutions like AV software.

    Straight from the horse's mouth. Start with that, if you'd like more resources I'll dig them up for you from the ACM library... but for now I am heading off to lunch.

    cheers,

    catch
